ccontavalli / ssh-ident

Different agents and different keys for different projects, with ssh.

confirm key usage only when agent forwarding #15

Closed Yannik closed 8 years ago

Yannik commented 8 years ago

Hi,

would it be possible to have the agent only confirm the key usage (ssh-add '-c' option) when it has been forwarded using agent forwarding? This would allow using the keys on the local host without jumping through additional hoops, but compromised remote hosts wouldn't be able to abuse forwarded agents.

ccontavalli commented 8 years ago

I don't know of any way to get ssh-agent to ask for confirmation only when the request comes from a remote host / forwarded ssh-agent connection / after the agent connection was forwarded - sorry.

I agree it would be a great feature to have, but I'm not sure we can do anything on the ssh-ident side. E.g., we can control whether to forward an agent connection or not, but once forwarded, I can't think of any way we could force -c to be added, short of removing the key and re-adding it, which would require either asking for the passphrase again (defeating the convenience), or storing the passphrase or the cleartext key in ssh-ident (which imho are non-starters, and a whole can of worms).

If you have any suggestions on how we could implement this, please re-open the bug. In the meantime, given there's nothing we can do here, I'm closing it.

Yannik commented 8 years ago

@ccontavalli From my understanding of openssh, the remote server is directly communicating with the local ssh-agent (which is forwarded to the remote server). Therefore, it does require changes to openssh to enable the ssh-agent to differentiate between requests from a local ssh process, and from a ssh process on a remote server (via ssh-agent forwarding).

As the current situation of a) not requiring confirmation but opening yourself to a huge potential security issue or b) always requiring confirmation, which can be a big hassle, is really unsatisfying, I wrote a few modifications to openssh, which you can find at https://github.com/Yannik/openssh-always-confirm-forwards

It is a really dirty solution (I have little experience in C), but it does serve the purpose well enough for me right now.

mc0e commented 8 years ago

https://github.com/tiwe-de/ssh-agent-filter provides a way to do this using a filtering proxy in front of the ssh-agent.
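The filtering-proxy approach mc0e points to, as an added example (not code from ssh-ident, ssh-agent-filter or any commenter): a small Python proxy that sits between the socket you forward and the real agent, passes identity listing through, asks a caller-supplied `confirm` callback (assumed; typically a terminal prompt showing the key blob's fingerprint) before forwarding a sign request, and refuses everything else. `listen_path` and `agent_path` are assumptions chosen by the caller.

```python
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from draft-miller-ssh-agent
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_FAILURE = bytes([5])  # the complete one-byte failure reply body

def frame(body):
    return struct.pack(">I", len(body)) + body  # 4-byte big-endian length prefix

def recv_exact(sock, n):
    """Read exactly n bytes; None if the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def read_message(sock):
    """Read one length-prefixed agent message body; None on EOF."""
    hdr = recv_exact(sock, 4)
    return None if hdr is None else recv_exact(sock, struct.unpack(">I", hdr)[0])

def filter_request(body, confirm):
    """Decide per request: None = forward to the real agent, else reply with this body."""
    if body and body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return None  # listing public keys lets no one authenticate
    if body and body[0] == SSH_AGENTC_SIGN_REQUEST:
        return None if confirm(body) else SSH_AGENT_FAILURE  # the "-c" step, remote only
    return SSH_AGENT_FAILURE  # add/remove/lock keys from a remote host: refuse

def serve(listen_path, agent_path, confirm):
    # listen_path is what gets forwarded as SSH_AUTH_SOCK; agent_path is the real agent
    srv = socket.socket(socket.AF_UNIX)
    srv.bind(listen_path)
    srv.listen()
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX) as agent:
            agent.connect(agent_path)
            while (req := read_message(client)) is not None:
                reply = filter_request(req, confirm)
                if reply is None:
                    agent.sendall(frame(req))
                    reply = read_message(agent)
                    if reply is None:
                        break
                client.sendall(frame(reply))
```

Run `ssh -A` to the remote host with SSH_AUTH_SOCK set to `listen_path`, so only the forwarded connection passes through the filter while local ssh processes keep talking to the real agent socket without confirmation, which is the split the issue asks for.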